Sunday, August 21, 2005

Total Information Awareness is not really dead ...

Remember Microsoft Passport and Intel/Microsoft's Palladium? When the public complained, the names went away, but the work went forward.

Remember 'Total Information Awareness'? TIA was Poindexter's project to use massive databases to spot terrorists. It was a wee bit controversial (The 'Left Behind' people freak out about this 'number of the beast' stuff. The NRA doesn't like it either. Bush doesn't like them angry, so their opinions matter). It went away.


As Schneier points out, it didn't go away at all. It's come back in other names and forms:
Crypto-Gram: August 15, 2005: Secure Flight

Last month the GAO issued a new report on Secure Flight. It's couched in friendly language, but it's not good...

... The TSA violated federal law when it secretly expanded Secure Flight's use of commercial data about passengers. It also lied to Congress and the public about it.

Much of this isn't new. Last month we learned that the TSA bought and is storing commercial data about passengers [jf: here he means traffic violations, credit ratings, etc. We know the quality of data in these commercial programs is utterly atrocious, and there's no regulation or feedback mechanism.], even though officials said they wouldn't do it and Congress told them not to...

... Commercial data had another use under CAPPS-II. In that now-dead program, every passenger would be subjected to a computerized background check to determine their "risk" to airline safety. The system would assign a risk score based on commercial data: their credit rating, how recently they moved, what kind of job they had, etc. This capability was removed from Secure Flight, but now it's back. An AP story quotes Justin Oberman, the TSA official in charge of Secure Flight, as saying: "We are trying to use commercial data to verify the identities of people who fly because we are not going to rely on the watch list.... If we just rise and fall on the watch list, it's not adequate."

... My fear is that TSA has already decided that they're going to use commercial data, regardless of any test results. And once you have commercial data, why not build a dossier on every passenger and give him or her a risk score? So we're back to CAPPS-II, the very system Congress killed last summer. Actually, we're very close to TIA (Total/Terrorism Information Awareness), that vast spy-on-everyone data-mining program that Congress killed in 2003 because it was just too invasive.

Secure Flight is a mess in lots of other ways, too. A March GAO report said that Secure Flight had not met nine out of the ten conditions mandated by Congress before TSA could spend money on implementing the program. (If you haven't read this report, it's pretty scathing.) The redress problem -- helping people who cannot fly because they share a name with a terrorist -- is not getting any better. And Secure Flight is behind schedule and over budget.

It's also a rogue program that is operating in flagrant disregard for the law. It can't be killed completely; the Intelligence Reform and Terrorism Prevention Act of 2004 mandates that TSA implement a program of passenger prescreening. And until we have Secure Flight, airlines will still be matching passenger names with terrorist watch lists under the CAPPS-I program. But it needs some serious public scrutiny.
